Hi,
In the plugin/ecr documentation it has a setting value called “region” which refers (assumed by me) to the AWS region of the registry I want to push to.
I’ve found that this value is ignored when run on an EKS cluster within AWS and the code for the ecr plugin seems (to me, I make no claims as a programmer) that the only input to region is via environment variable and if it’s not specified it defaults out to us-east-1. https://github.com/drone-plugins/drone-docker/blob/master/cmd/drone-ecr/main.go#L20-L41.
Here’s what I’m trying
example pipeline step;
- name: publish-image
  image: plugins/ecr
  settings:
    repo: 0000000000.dkr.ecr.eu-west-2.amazonaws.com/helloworld
    tags: ${DRONE_COMMIT_SHA}
    registry: 0000000000.dkr.ecr.eu-west-2.amazonaws.com
    region: eu-west-2
  environment:
    AWS_REGION: eu-west-2
drone-config:
drone 1.7.0 using drone-kube-runner: linux-amd64 (digest: ad8913f8381d) on an EKS v1.15 cluster.
DRONE_SERVICE_ACCOUNT_DEFAULT is set on the runner to specify a service account that has IAM role to push to ECR but the default node role does not have such access.
expected result:
I would expect region as a setting to be respected and AWS_REGION as an env-var to be unnecessary in this case, especially as it’s undocumented.
error returned:
If I don’t specify the env-var I get the following error at runtime which is a failure/lack to assume the correct role via STS that’s assigned to the runner. (The role in the error is not the one given to the runner)
The push refers to repository [0000000000.dkr.ecr.eu-west-2.amazonaws.com/helloworld]
188fc3f84af0: Preparing
denied: User: arn:aws:sts::0000000000:assumed-role/node-iam-role/i-0000000000 is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:eu-west-2:0000000000:repository/helloworld
time="2020-04-25T15:52:18Z" level=fatal msg="exit status 1"
This error is limited to this particular step, I have a repro case that shows the correct role is in play for the runner.
Obviously I can make it work by specifying AWS_REGION as a variable, but the region is already mentioned 3 times in this step and I love removing duplication.
I hope that’s enough detail - is this an issue or am I doing something wrong somewhere?
Thanks,
Craig
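
An added example, not part of the original post and not the drone-ecr plugin's own code: one way a plugin could resolve the region so that `settings.region` (which Drone passes to the container as `PLUGIN_REGION`) is honoured, the ECR registry hostname is used as a fallback, and a mismatch is reported instead of silently signing for the wrong region. The helper names `regionFromRegistry` and `resolveRegion` are hypothetical; the `us-east-1` default is the one described in the post.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
)

// ECR registry hostnames have the form <account>.dkr.ecr.<region>.amazonaws.com.
var ecrHost = regexp.MustCompile(`^(\d+)\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com(\.cn)?$`)

// regionFromRegistry (hypothetical helper) returns the region embedded in an
// ECR registry hostname, or false when the host is not an ECR endpoint.
func regionFromRegistry(registry string) (string, bool) {
	m := ecrHost.FindStringSubmatch(registry)
	if m == nil {
		return "", false
	}
	return m[2], true
}

// resolveRegion (hypothetical helper) picks the region in this order:
// PLUGIN_REGION (the `region` setting), AWS_REGION, the registry hostname,
// then us-east-1. An explicit value that disagrees with the registry
// hostname is returned as an error rather than used.
func resolveRegion(getenv func(string) string, registry string) (string, error) {
	hostRegion, hostOK := regionFromRegistry(registry)
	for _, key := range []string{"PLUGIN_REGION", "AWS_REGION"} {
		if v := getenv(key); v != "" {
			if hostOK && v != hostRegion {
				return "", fmt.Errorf("%s=%s but registry is in %s", key, v, hostRegion)
			}
			return v, nil
		}
	}
	if hostOK {
		return hostRegion, nil
	}
	return "us-east-1", nil
}

func main() {
	// Constructed input: the registry value from the pipeline step above.
	region, err := resolveRegion(os.Getenv, "0000000000.dkr.ecr.eu-west-2.amazonaws.com")
	fmt.Println(region, err)
}
```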